about summary refs log tree commit diff
path: root/app/controllers
AgeCommit message (Collapse)Author
2021-11-25Add trending links (#16917)Eugen Rochko
* Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-04Fix statuses order in account's statuses admin page (#16937)Jeong Arm
2021-10-18Add remove from followers api (#16864)Takeshi Umeda
* Add followed_by? to account_interactions * Add RemoveFromFollowersService * Fix AccountBatch to use RemoveFromFollowersService * Add remove from followers API
2021-10-14Add graphs and retention metrics to admin dashboard (#16829)Eugen Rochko
2021-10-13Fix error when rendering public pages with media attachments (#16763)Claire
* Add tests * Fix error when rendering public pages with media attachments * Add tests * Fix tests * Please CodeClimate
2021-09-30Fix webauthn secure key authentication (#16792)Claire
* Add tests * Fix webauthn secure key authentication Fixes #16769
2021-09-26Change routing paths to use usernames in web UI (#16171)Eugen Rochko
2021-09-15Fix followers synchronization mechanism not working when URI has empty path ↵Claire
(#16744) Follow-up to #16510, forgot the controller exposing the actual followers…
2021-08-26Explicitly set userVerification to discoraged (#16545)Truong Nguyen
2021-08-25Fix authentication failures after going halfway through a sign-in attempt ↵Claire
(#16607) * Add tests * Add security-related tests My first (unpublished) attempt at fixing the issues introduced (extremely hard-to-exploit) security vulnerabilities, addressing them in a test. * Fix authentication failures after going halfway through a sign-in attempt * Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
2021-08-25Fix undefined variable for Auth::OmniauthCallbacksController (#16654)Daniel
The addition of authentication history broke the omniauth login with the following error: method=GET path=/auth/auth/cas/callback format=html controller=Auth::OmniauthCallbacksController action=cas status=500 error='NameError: undefined local variable or method `user' for #<Auth::OmniauthCallbacksController:0x00000000036290> Did you mean? @user' duration=435.93 view=0.00 db=36.19 * app/controllers/auth/omniauth_callbacks_controller.rb: fix variable name to `@user`
2021-08-09Add feature to automatically delete old toots (#16529)Claire
* Add account statuses cleanup policy model * Record last inspected toot to delete to speed up successive calls to statuses_to_delete * Add service to cleanup a given account's statuses within a budget * Add worker to go through account policies and delete old toots * Fix last inspected status id logic All existing statuses older or equal to last inspected status id must be kept by the current policy. This is an invariant that must be kept so that resuming deletion from the last inspected status remains sound. * Add tests * Refactor scheduler and add tests * Add user interface * Add support for discriminating based on boosts/favs * Add UI support for min_reblogs and min_favs, rework UI * Address first round of review comments * Replace Snowflake#id_at_start with with_random parameter * Add tests * Add tests for StatusesCleanupController * Rework settings page * Adjust load-avoiding mechanisms * Please CodeClimate
2021-07-21Add logging of S3-related errors (#16381)Claire
2021-07-14Fix user email address being banned on self-deletion (#16503)Claire
* Add tests * Fix user email address being banned on self-deletion Fixes #16498
2021-07-08Add ability to skip sign-in token authentication for specific users (#16427)Eugen Rochko
Remove "active within last two weeks" exception for sign in token requirement Change admin reset password to lock access until the password is reset
2021-07-03Fix anonymous access to outbox not being cached by the reverse proxy (#16458)Claire
* Fix anonymous access to outbox not being cached by the reverse proxy Up until now, anonymous access to outbox was marked as public, but with a 0 duration for caching, which means remote proxies would only serve from cache when the server was completely overwhelmed. Changed that cache duration to one minute, so that repeated anonymous access to one account's outbox can be appropriately cached. Also added `Signature` to the `Vary` header in case a page is requested, so that authenticated fetches are never served from cache (which only contains public toots). * Remove Vary: Accept header from webfinger controller Indeed, we have stopped returning xrd, and only ever return jrd, so the Accept request header does not matter anymore. * Cache negative webfinger hits for 3 minutes
2021-06-21Fix serialization of followers/following counts when user hides their ↵Claire
network (#16418) * Add tests * Fix serialization of followers/following counts when user hides their network Fixes #16382 Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2021-06-21Add authentication history (#16408)Eugen Rochko
2021-06-02Fix e-mail confirmations API not working correctly (#16348)Eugen Rochko
* Fix e-mail confirmations API not working correctly * Fix typo
2021-05-31Fix some IDs in instance actor outbox (#16343)Claire
2021-05-30Remove set-cookie header on custom.css (#16314)Jeong Arm
* Remove set-cookie header on custom.css * Additional fix for set-cookie
2021-05-22Fix media proxy RedisLocks auto-releasing too fast (#16291)Claire
Follow-up to #16276
2021-05-07Change trending hashtags to be affected be reblogs (#16164)Eugen Rochko
If a status with a hashtag becomes very popular, it stands to reason that the hashtag should have a chance at trending Fix no stats being recorded for hashtags that are not allowed to trend, and stop ignoring bots Remove references to hashtags in profile directory from the code and the admin UI
2021-05-06Add Ruby 3.0 support (#16046)Claire
* Fix issues with POSIX::Spawn, Terrapin and Ruby 3.0 Also improve the Terrapin monkey-patch for the stderr/stdout issue. * Fix keyword argument handling throughout the codebase * Monkey-patch Paperclip to fix keyword arguments handling in validators * Change validation_extensions to please CodeClimate * Bump microformats from 4.2.1 to 4.3.1 * Allow Ruby 3.0 * Add Ruby 3.0 test target to CircleCI * Add test for admin dashboard warnings * Fix admin dashboard warnings on Ruby 3.0
2021-05-05Add management of delivery availability in Federation settings (#15771)Takeshi Umeda
* Add management of delivery availavility in Federation settings * fix translate * Remove useless object creation * Fix DeepSource issue * Add shortcut for all * Fix DeepSource(skipcq) * Change 'remove' to 'clear' * Fix style * Change class method name (exhausted_deliveries_key_by)
2021-05-05Fix error when trying to render component for media without meta (#16112)Eugen Rochko
2021-05-05Fix database serialization failure returning HTTP 500 (#16101)Eugen Rochko
Database serialization failure occurs when a read-replica is used and a query takes long enough that rows on the primary database become unavailable. It should return HTTP 503 as it is temporary. Re-order rescue definitions according to their status codes
2021-05-03Change confirmations controller to redirect to / for approved users (#16151)Claire
Clicking the confirmation link multiple times currently leads to entering account settings, which can be confusing. This commit changes that so that it redirects to the root path, so it behaves the same way as clicking only once in most cases.
2021-04-26Further improve the media attached status query for accounts (#16106)abcang
2021-04-25Improve media attached status query (#16105)abcang
2021-04-24Change auto-following admin-selected accounts, show in recommendations (#16078)Eugen Rochko
2021-04-15Add `policy` param to `POST /api/v1/push/subscriptions` (#16040)Eugen Rochko
With possible values `all`, `followed`, `follower`, and `none`, control from whom notifications will generate a Web Push alert
2021-04-12Add cold-start follow recommendations (#15945)Eugen Rochko
2021-04-11Remove spam check and dependency on nilsimsa gem (#16011)Eugen Rochko
2021-04-03Add system checks to dashboard in admin UI (#15989)Eugen Rochko
2021-04-03Change health check (#15988)Eugen Rochko
2021-03-26Fix /admin/tags/:id crashing since Rails 6.1 update (#15953)Claire
Raw SQL passed to `pluck` now has to be explicitly marked as SQL via Arel.sql, see https://github.com/rails/rails/pull/27947
2021-03-26Add warning in admin dashboard if some required queues are not handled (#15954)Claire
2021-03-25Add `email` param to `POST /api/v1/emails/confirmations` (#15949)Eugen Rochko
Allow changing e-mail as long as the account is unconfirmed
2021-03-24Update Mastodon to Rails 6.1 (#15910)Claire
* Update devise-two-factor to unreleased fork for Rails 6 support Update tests to match new `rotp` version. * Update nsa gem to unreleased fork for Rails 6 support * Update rails to 6.1.3 and rails-i18n to 6.0 * Update to unreleased fork of pluck_each for Ruby 6 support * Run "rails app:update" * Add missing ActiveStorage config file * Use config.ssl_options instead of removed ApplicationController#force_ssl Disabled force_ssl-related tests as they do not seem to be easily testable anymore. * Fix nonce directives by removing Rails 5 specific monkey-patching * Fix fixture_file_upload deprecation warning * Fix yield-based test failing with Rails 6 * Use Rails 6's index_with when possible * Use ActiveRecord::Cache::Store#delete_multi from Rails 6 This will yield better performances when deleting an account * Disable Rails 6.1's automatic preload link headers Since Rails 6.1, ActionView adds preload links for javascript files in the Links header per default. In our case, that will bloat headers too much and potentially cause issues with reverse proxies. Furhermore, we don't need those links, as we already output them as HTML link tags. * Switch to Rails 6.0 default config * Switch to Rails 6.1 default config * Do not include autoload paths in the load path
2021-03-19Further preparation for Rails 6 (#15916)Claire
* Use ActiveRecord::Result#to_ary instead of deprecated to_hash They do the same thing, and to_hash has been removed from Rails 6.1 * Explicitly name polymorphic indexes to workaround a bug in Rails 6.1 cf. https://github.com/rails/rails/issues/41693 * Fix incorrect usage of “foreign_key” in migration script * Use `ActiveModel::Errors#delete` instead of deprecated clear method * Fix link headers tests on Rails 6.1 Rails 6.1 adds values to the Link header by default, thus it is not a LinkHeader object anymore. Fix the test to parse the Link header instead of assuming it is a LinkHeader.
2021-03-18Fix cache_collection crashing when given an empty collection (#15921)Claire
* Fix cache_collection crashing when given an empty collection * Add tests
2021-03-01Add `POST /api/v1/emails/confirmations` to REST API (#15816)Eugen Rochko
Only available to the application the user originally signed-up with
2021-03-01Add `details` to error response for `POST /api/v1/accounts` in REST API (#15803)Eugen Rochko
2021-02-26Fix crash on receiving requests with missing Digest header (#15782)Claire
* Fix crash on receiving requests with missing Digest header Return an error pointing out that Digest is missing, instead of crashing. Fixes #15743 * Fix from review feedback
2021-02-21Add server rules (#15769)Eugen Rochko
2021-02-19replace all instances of "ends_with?" with "end_with?" (#15745)Justin Tracey
The "ends_with?" method is just a Rails alias of Ruby's "end_with?" method. Using the latter makes the code less brittle.
2021-02-16Add `GET /api/v1/accounts/lookup` REST API (#15740)Eugen Rochko
2021-02-12Refactor Api::Web::SettingsController (#15717)Eugen Rochko